
Re: nslcd feature request (combined pam_authz_search)

On Mon, 2012-04-23 at 21:53 +0400, Lior Goikhburg wrote:
> Here is a situation: I need to perform two different searches before
> authenticating a user:
> * a user object should have an attribute "host" set to the $hostname of
> the machine
> * a host object of $hostname should have an attribute "mode" set to
> "active"
> 
> It would be possible if I could specify more than one pam_authz_search
> parameter in nslcd.conf file.
> 
> A possible config block could look like this:
> 
> pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))
> pam_authz_search (&(objectClass=server)(mode=active))
> satisfy any
> 
> Any thoughts?

It sounds interesting but I personally don't like the satisfy any syntax
much (Apache ACLs are a bit too complex for my taste).

Anyway, you can already accomplish the above, if it is OK if either of
the searches returns any results, with the following:

pam_authz_search (|(&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))(&(objectClass=server)(mode=active)))

Also note that you can use objectClass=$hostname instead of
objectClass=server.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
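As an added illustration (not code from nslcd or from this thread), here is a small evaluator that expands the filters above and runs them against a few constructed directory entries. It shows that the OR-combined filter grants access on an active host even to a user whose host attribute does not match, and that a single search cannot express "both must match", because that would require one entry to be both a posixAccount and a server. The value escaping in substitute() is assumed to mirror nslcd's; the sample entries and all helper names are constructed here.

```python
import re

# Constructed sample directory (DN -> attributes, attribute names lowercased); not real data.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectclass": ["posixAccount"], "uid": ["alice"], "host": ["web1.example.org"]},
    "uid=bob,ou=people,dc=example,dc=org": {
        "objectclass": ["posixAccount"], "uid": ["bob"], "host": ["db1"]},
    "cn=web1,ou=hosts,dc=example,dc=org": {
        "objectclass": ["server"], "cn": ["web1"], "mode": ["active"]},
}

# The two searches from the thread, and the single OR-combined filter from the reply.
USER_FILTER = "(&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))"
HOST_FILTER = "(&(objectClass=server)(mode=active))"
ANY_FILTER = "(|" + USER_FILTER + HOST_FILTER + ")"   # "either search matches"
ALL_FILTER = "(&" + USER_FILTER + HOST_FILTER + ")"   # naive "both must match" in one search

def substitute(template, variables):
    """Expand $username/$host/$fqdn, RFC 4515-escaping values (assumed to mirror nslcd)."""
    for name, value in sorted(variables.items(), key=lambda kv: -len(kv[0])):
        escaped = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)
        template = template.replace("$" + name, escaped)
    return template

def parse(s, i=0):
    """Recursive-descent parser for the &, |, ! and attr=value subset of RFC 4515."""
    assert s[i] == "(", "expected '(' at %d" % i
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        assert s[i] == ")", "unterminated %s at %d" % (op, i)
        return (op, children), i + 1
    end = s.index(")", i)  # safe: escaped values never contain a literal ')'
    attr, _, value = s[i:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = node[0]
    if op == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if op == "!":
        return not matches(node[1][0], entry)
    return (all if op == "&" else any)(matches(c, entry) for c in node[1])

def authz_search(template, variables, directory=DIRECTORY):
    """DNs matched by the expanded filter; nslcd grants access iff this is non-empty."""
    tree, _ = parse(substitute(template, variables))
    return [dn for dn, entry in directory.items() if matches(tree, entry)]
```

Running authz_search(ANY_FILTER, {"username": "bob", "host": "web1", "fqdn": "web1.example.org"}) returns the host entry, so bob is granted access although his own host attribute does not match; ALL_FILTER returns nothing for anyone.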